The Cryptography of a BlockChain

[Updated on 2019-09-11]

By now you’ve all heard of a blockchain and that it’s the backbone of cryptocurrencies like BitCoin, Ethereum, LiteCoin and others.  I’m not here to tell you that blockchains are the solution to every problem or that blockchains are the next best technology that everyone will use.  You’ve heard that 100 times.  I’m going to explain, in as simple and straightforward a way as possible HOW a blockchain is put together and how cryptography is central and core to the whole thing.

You’ll discover, on your own, that putting a couple of old ideas together creates something phenomenally more powerful than the individual parts summed together.

First, let’s list the parts:

  1. A simple transaction (a record showing a FROM address, a TO address, an amount being transferred, and a time stamp).
  2. A “block”, which is just a list of transactions.
  3. Hashing (the result of a complex math problem using the numbers of all the bytes of a file (or a block and/or a transaction record)), to uniquely identify a larger chunk of data.
  4. Encryption

That’s it!  No, really!  A block chain and a cryptocurrency contain no more than that.  Well, a cryptocurrency needs computers to do the calculations for the hashing and encryption, etc…, but they just build  and validate the block chain.

So, here is what a block chain is in a nutshell:

  1. Every transaction ever taken place since the creation of the blockchain.
    1. The list of transactions are divided into “blocks”.  If you create your own blockchain, you get to decide how big a block is and how many transactions are placed in a block.  In BitCoin, for example, a block used to be 1MB max (it was updated in August of 2017 to be bigger).  A new block is added to the blockchain every 10 minutes… at least, on BitCoin, it’s every 10 minutes.
    2. The transaction is digitally signed by the sender so the network can confirm the owner of the cryptocurrency is truly authorizing the transfer.
  2. Each transaction in the block has a hash that uniquely identifies the transaction.  No 2 transactions will ever have the same hash.
  3. Once all transactions for the next block are ready, the hash from the prior block is added to the new block and that hash, plus all the transactions, are hashed to create a final hash of the new block.
  4. Critically important:  That prior hash being added to the new block is what LINKS the new block back to the prior block!  That’s what makes it a “chain”.  Each new block references the old one and the new block’s hash is dependent on the old one, which was dependent on ITS older one, and so on, all the way back to the first “genesis” block.  The new hash is the way it is because of ALL the older hashes are the way they are.  If any single transaction anywhere in the blockchain were different, so would ALL the hashes be different following that one.

That’s it!  Really, that’s all there is.

But, some really important things have happened as a result of those simple pieces:

  • Every processing computer on that network has a full copy of the entire blockchain.
  • There’s no central blockchain server.  The blockchain exists ONLY on the hard drives of the machines of the volunteers.

That means a hacker can’t hack “the bitcoin server” and change records, because no such central server exists.  He’d have to hack into EVERY bitcoin node and change it.  (Well, he’d have to hack at least 51% of them).

Something else important happens with the technology:

  • When a BitCoin node computes the hash of a block, it doesn’t just compute the hash ONCE, it computes TRILLIONS and TRILLIONS of hashes.  A single, home laptop, would probably take years to compute that hash.  Why? The network won’t accept just any hash.  The hash produced MUST match a pre-defined pattern.  Specifically, it has to, by pure chance, come up with a hash that begins with a bunch of zeros.  The amount of zeros needed increases over time as computers get faster, to ensure that Moore’s law doesn’t overtake the network.  These hashing computations NEED to take a long time.  MANY BitCoin nodes are competing with each other to find that magical hash value.  The first one that finds it, submits it to multiple peers on the network for confirmation.  Confirmation is instant.  Once confirmed, the block is accepted into the blockchain and it’s distributed to every node on the network so they can all add it to their local copy of the blockchain.  And the computer that found the hash is awarded with 12.5 new BitCoins (worth about $92,000 at the time of this writing).  Those computers that spend all their time crunching numbers to produce those hashes are called “miners”.

So, why are miners required to compute all those useless hashes only to find yet another useless hash?  Because it has to cost the miners something to do it.  It’s too expensive to do that if there’s no reward, so a hacker is not going to waste their time doing it.  If a hacker tried to submit a false hash, the network would reject the false hash and would ban them from the network.  So, only hashes that actually went through the full AND EXPENSIVE computational process are accepted.

When a miner submits their hash, and it’s confirmed by other miners, that hash is a “proof of work”.

Again, WHY?

Aside from making it too expensive and mathematically improbable to submit false hashes, it makes it impossible to change records in the blockchain.  If you tried to change a record from 24 hours ago, you’d have to rehash it, then rehash the next block (because remember, the NEXT block has been hashed with the prior block’s hash… the one you’re CHANGING!).  You’d have to rehash EVERY block after the one you’re changing.  It takes about $1,000 worth of electricity to mine a block and thousands of specialized computers to get it done in time.  In a 24 hour period, there are 144 new blocks, so it would cost you $144,000 to rehash them all.  Every 10 minutes back in time of a transaction you’re trying to alter will cost you another $1,000 in electricity.

Then, you’d have to somehow hack 51% of all bitcoin mining rigs and REPLACE ALL their local copies of the blockchain.

There simply is not enough computer power in the world to accomplish that task, not even if you add all the world’s supercomputers owned by the NSA, Oak Ridge National Laboratories, China, etc…  Because while you’re doing that, the bitcoin network (the fastest supercomputer on the planet), is still churning out new blocks every 10 minutes.  You’d need the combined computational power of the ENTIRE bitcoin network, PLUS MORE to catch up with them.

It’s no longer a hacking challenge, but a thermodynamic problem that you simply cannot do with current technology.  It’s expected that a quantum computer would eventually be able to do that, but the BitCoin developer teams are working on new algorithms safe from quantum exploitation.  Side note:  It’s believed that current AES encryption is likely quantum-safe.

THAT is why any record written to the blockchain is permanent and unalterable.  That was accomplished with extra hashing of blocks and distributing copies of the blockchain all over the network.

Back to Cryptography

Hashing:  Again, hashing is taking a string of bytes, pushing them through a particular algorithm, and producing a fixed length, unique string of bytes, always the same size (for the SHA256 hashing algorithm, the one that BitCoin uses, that’s 256 bits long or 32 bytes long), regardless of the size of the original string.  A hash is non-reversible.  That means that you CANNOT reverse a hash to recreate the original data that was used.  Think of it in the same way you think of the remainder to a division math problem.  For example, 13/5 = 2, with a remainder of 3.  But how many other divisions have a remainder of 3?  An infinite number of them.  So, if all you have is the remainder, you have no way to determine what the original 2 numbers were.  That’s kind of how a hashing works.

Important to cryptocurrency (and blockchains):  You must have a “wallet” to keep your cryptocurrency in.  That wallet is simply this:  You create a new public/private encryption key pair.  Your private key is generated from random numbers put through an algorithm.  Your public key is generated from your private key by putting it through another algorithm.  Your wallet address is simply a hash of your public key.  You can freely give people your public key and your wallet address.  Your address is what you want people to have so they can send you money.

Signing:  For more details on signing, please see:

Understanding Encryption

But here’s a short explanation:  When you encrypt data, you use the recipient’s PUBLIC key.  When they DECRYPT your message, they use their PRIVATE key.  But, if you want to PROVE that YOU sent the message, you’d also SIGN it.  That simply means that you encrypt with your PRIVATE key.  The recipient DECRYPTS it with your PUBLIC key.  Anything encrypted with your private key can be decrypted with your public key.  Since your public key is public and anyone can decrypt your data with it that you encrypted with your private key, it’s not considered “decryption”.  And since ONLY YOU can encrypt anything with your private key and your public key can’t decrypt ANYTHING NOT encrypted with your private key, then that proves YOU are the one that encrypted it.  You digitally “signed” it.  That’s how you prove you created the content.

When you transfer digital money on a blockchain,  you digitally sign your transaction to move money out of your “wallet” (again, your wallet address is a hash of your public key).

The network refuses to transfer money from one address to another unless the transaction is digitally signed by the “from” wallet address’s owner.

Encryption: You don’t really encrypt anything in most blockchains, but I’ll mention encryption here, just so it’s not ignored from the conversation.  But “signing” and “hashing” are considered subsets of the larger “encryption” concepts.

Benefits of all these pieces of technology put together:

  1. An immutable (unchangeable), public ledger.  You never have to worry about someone changing a past transaction.
  2. Decentralized.  There’s no single place that a hacker can attack and no single place a dishonest website owner can manipulate, and no single place for a tyrannical government to shut down, and no single company to go out of business, tacking everything with it.
  3. You are 100% in control of your own cryptocurrency.  No one, not EVEN the government can technologically steal your funds or stop you from sending or receiving money on the blockchain.
  4. It’s virtually unhackable, not even someone with resources as deep as say the NSA.

See these images?

image

You’ll find actual working versions of them at the top and bottom of this article. Please click the appropriate buttons in it to let your friends know about this article.

Check back later for updates too!

IRS Hell for BitCoin Users

Summary

2018 is the first year U.S. citizens have to file taxes on their cryptocurrency activities for 2017.  The limited “rules” the IRS has published do not cover the majority of types of activities and the information needed to accurately file taxes is simply not available to non programmers and is excruciatingly difficult to acquire, even for programmers.

Tax “Guidance”

In 2014, the IRS published a somewhat vague guidance on how to report cryptocurrency taxes.  It essentially boils down to:

  1. How much did you buy? 
  2. How much did you sell?
  3. What’s the difference?
  4. Send in 30% of your profits.
  5. Determine fair market value on the day of your transactions.

Here’s the actual 2014 IRS tax guidance document.

Reality

Unfortunately, reality is much more complicated than that.  Here are the real-world things that we have no clear rules on:

  1. What if I bought some prior to 2017?
  2. When I sell some, which of the MANY prior purchasing transactions do I apply the price to?  The price is different for every transaction.
  3. What about mining?
  4. What about mining hardware prices?
  5. What about price of electricity?
  6. I bought & sold on more than one exchange.
  7. I moved crypto between exchanges.
  8. I converted crypto from one to another.
  9. Prices at the moment of each transaction are not available when converting between currencies.
  10. Which price would we use, even if we had it?  There’s no universal price on any crypto.  Each exchange has its own, moving price that changes by the second.
  11. What about when a cryptocurrency forks, like BitCoin to BitCoinCASH and BitCoinGold?
  12. They say to use the fair market value of the day to determine prices on transactions, but that’s of no use since the price can swing thousands of dollars within a day.

My Experience

Since 2014, I’ve bought and sold crypto hundreds of times.  On some days, I’ve made dozens of trades in a single day.  In addition to that, I have accounts on 4 exchanges and also mine Ethereum.  I also traded between cryptos like converting BitCoin to LiteCoin and LiteCoin to Ethereum & Ripple & IOTA, etc., and moved crypto between exchanges like CoinBase, Kraken, Bitfinex, & Bittrex, and to and from my personal wallets,  and gained some crypto during forks, and lost some due to CoinBase not giving me my Ethereum Classic.

Over the past week, I’ve spent about 6-10 hours or so JUST on trying to gather what I understood would be needed for my tax accountant for cryptocurrency (not counting my usual taxes).  From the list above, you’ll get a rough idea of what I was going through to try to collect the information.

It’s 2018-03-31 and I finally finished my taxes.  Here’s how the day went:

I was woken up around 9:45 am this morning (I like to sleep late on Saturdays) by my tax accountant.  We spent a SOLID FIVE HOURS on the phone, trying to resolve everything (95% of that was related to cryptocurrencies).  This is their first year dealing with this.  I had to explain a lot about crypto and even the IRS’s rules.  She, apparently, had the same, uninformative PDF document from 2014 from the IRS too and just assumed it’d be as simple as they explain.  Reality is hugely different.

She wanted me to make it simple for her.  I wanted her to make it simple for ME.  That’s kind of why I’m paying her, right?  I spent hours gathering everything she could possibly need (minus the information that was just not feasible to get, but that we actually DO need).

It was simply not enough information, not just the lack of data that I didn’t have access to, but the lack of rules from the IRS.

Conclusion

The amount of effort trying to figure out just HOW to report my cryptocurrency transactions to the IRS was a nightmare and equals about the same amount of effort I spent throughout the year transacting and buying, learning, and setting up my Ethereum mining.  And it was significantly more frustrating than the actual crypto activities.

The IRS needs to get their act together, learn what it is we actually do, and come up with REALISTIC rules that we can actually perform.

After all the time and effort I spent preparing my taxes for my accounted, PLUS the amount of time we spent on the phone afterwords was insane and we STILL didn’t get everything.  We probably got about 85% of what was needed and I guarantee that what we reported was not right, but that was the best we could do.  I had tens of thousands of dollars in transactions.  With the limited information we had, she simply ended up using what I sent to her from the website CoinTracking.com, which is ONLY good for a SINGLE exchange.  So, I reported a $200 profit and paid taxes on that.  At least that is small, to keep my taxes down AND shows a “profit”, which should keep the IRS off my back, since I’m actually paying them something.  I was told that if I reported a loss, it would likely trigger an audit.

What?  Were you hoping to come here for a resolution to YOUR tax problems?  Sorry.  All I can offer is comfort that you’re not alone.  The IRS needs to get their act together and YOU need to click this link to contact your U.S. representative and explain to them the nightmare they’ve created for us.  Click the following link:

Find Your Representative

 

See these images?

image

You’ll find actual working versions of them at the top and bottom of this article. Please click the appropriate buttons in it to let your friends know about this article.

Check back later for updates too!

Validating Digital PGP Signatures & Why it’s Important

Do you ever see the checksums, CRCs, SHA, or PGP signatures presented to you when you’re downloading a file?  Like this for example:

These are actually SUPER IMPORTANT!

What are those signatures?

They are, in a very very simplistic explanation, answers to a math function where the numbers given to the function are the bytes of the file you want to download.

Why are they important?

They are used to prove to you that the file you’re downloading hasn’t been tampered with.   HOW? you may ask?   Because only the valid, original file, with the original set of bytes in it could have produced that signature.  If you change just ONE byte in the entire file, no matter how big the file is, you’d get a DIFFERENT answer to the math function.

This is CRUCIALLY important for things like cryptocurrency wallets for cryptocurrencies like #BitCoin, #Ethereum, #LiteCoin, etc…  Hackers frequently publish TAMPERED versions of wallet software and if you install and run the hacker’s version, they’re going to steal ALL OF YOUR CRYPTO!  This has already happened many times.  Websites are compromised and hacked versions are put on their websites.

This brings up another important concept of signatures vs. the files they’re supposedly coming from:

A published signature is absolutely USELESS if it’s on the SAME website as the download file.  Why?  Because if a hacker compromises the download site, then you can’t trust anything on that site, including the signature.  You’ll find that MOST sites that publish a signature do so on one website, but the downloaded file is hosted on another website.  For BOTH the signature AND the file to be compromised by the same hacker, they’d have to hack BOTH of those websites, which is much more difficult.

How can I validate them?

You’ll need software on your computer that can compute the same types of signatures that the website publishes for their downloaded files.  In short, these are the steps (I’ll go into explicit detail shortly):

  1. Install some signature making and validating software onto your computer (Do this only once).
  2. Make note of the published signature for the file you’re about to download. (Do this for every download that offers it).
  3. Download the file (DO NOT EXECUTE IT!  It’s NOT trusted until you validate the signature!)
  4. Use the signature software to make or verify the signature of the downloaded file.
  5. If the signature checks out, the file is safe.  If it doesn’t, DELETE THE FILE!  DO NOT EXECUTE IT!

Detailed VALIDATION instructions:

Before you get overwhelmed, scroll to the bottom and see that once you’ve done all this once, future validations are really simple…. Just those 4 steps at the bottom.  But for now, you’ll need to go through this more lengthy setup process.

In this tutorial, we’ll be dealing with a downloadable executable file that offers a public PGP signature for you to validate against.  You should know that there are many forms of signatures that an author could choose to publish.  Other than PGP, there are SHA1, SHA256, SHA512, MD5 (which has been broken), and several others.  These are the most popular ones.

We’ll be downloading and validating a popular BitCoin wallet app.  For this type of app, it’s critical to validate the downloaded file against the published signature.

Yes!  This looks very involved, but the good news is that most of these steps are only needed to be done ONCE EVER.  Since this is your first time, there are many steps to get new things installed and set up right.  Subsequent verification will be much simpler and I’ll provide a list of steps to do after you have everything set up.

First, install some PGP key software on your computer.

  1. Install gpg4win from here: https://gpg4win.org/
    1. It will install a few utilities and a GUI app that will hold all of your PGP keys and certificates. (You don’t need to understand what those are at this point).
  2. Skip this step if you already have a public/private PGP key pair.  Create public/private keys for your own e-mail address.  You’ll need this later and it has other benefits such as being able to send and receive encrypted e-mail on any e-mail system.  See: STICK IT TO THE NSA: HOW TO ENCRYPT YOUR WEBMAIL
    1. Open the “File” menu and choose “New Key Pair”.
    2. On the box that opens, choose “Create a personal OpenPGP key pair”.
    3. Enter your name and e-mail address, then click “Advanced Settings…” and on the top 2 drop downs, change it to 4096 bits.  That’ll make your key orders of magnitude stronger.  If you want, feel free to check “Authentication” and “Valid until” and pick a date.  I recommend 1 year into the future.  If you choose a date, your key will not be trusted by anyone after that day.
    4. Click [OK], then [Next], then [Create].
    5. It’ll prompt you for a password.  To use your private key, you’ll need this password, so DO NOT LOSE IT!!!!!  Go ahead and enter it.
    6. After taking a few moments (and it WILL take a few moments), you’ll have a key pair.  If you want others to be able to send you encrypted data, I recommend clicking the button “Upload Public Key To Directory Service…”.  People will be able to look up your public key via your name or e-mail address.  But, it’s not needed for validating signatures, which is the primary purpose of this article.  Now, click [Finish].
    7. You’ll now have a new, certified key in your key ring.  PROTECT YOUR PRIVATE KEY WITH YOUR LIFE!!!!

If you’re interested in more details about what they private/public key pair is that you created, please see.  It’s not necessary to know all of that for this article, but it will clear up some confusion, if you have any.

Now, let’s do an actual Verification!

  1. Go to https://electrum.org/#download and view that page.  (Note, if you have the know-how and the means to download and build from the source code, ALWAYS do that rather than downloading a pre-built executable!)  Notice the signature links next to every download option?  THAT’S what we’re working with in this article.
  2. Click the Windows Installer and download it.  DO NOT RUN IT!  In the folder in which you downloaded the file, you’ll see a file named something like electrum-3.1.0-setup.exe.  As you can see, I’ve downloaded prior versions of the file too.  Notice that some of the files DON’T have “.exe” at the end?  We’ll fix that shortly.
  3. Back on the web page, click the signature next to “Windows Installer”.  You’ll see something that looks like this in your browser:
    1. -----BEGIN PGP SIGNATURE-----
      
      iQIcBAABCgAGBQJanWcrAAoJECvVgkt/lHDm/a8P/iyHkc+2zkaL2JpbhBMEnPE3
      qf21G0xOmkq9x9bfnKhCT1WYbpJrkjbeSCUSlfENbpjpud+ANCDNLA16n4T9eVPL
      0VrrejOTtH37OwJUI35v5asqmT6N4XcuokY+D2f0uSjd4Pnh+SQP9D5NAk0/1DeH
      WgtEfTKYfiPHzl6NJ3XcVjdMNl2H536OwFZx0x4u0nsdFoAvZgHIA/rrSWxMkN+C
      AbMtTd0pGqPYo5gJnHaoYkxbDIvq/CXRgaHFp0arPaKkYSwqkG/Q7KC1z1zbFLcq
      gD2z9tkj3toBzyCUNrmbmmGd491T6XbZujtiFYbjNhyMBjuBBR4V1sae/mzXoFDb
      LW3wwl8OsrnQlFfSN/NbqEFPSUIbFl5rFpK/LgV3YId7kbujXukKxfTHDce2OsjP
      U7a8QrUm7C3MTz4zAlgWWDwN3rioEzlfebe1qCQxI4hAu7vglOE+cW3UKJVh7zyM
      J21KKKzIO1EZz91t8EfHYrJMWL7Yl3/orgDOEjM2t1IAEm5znAzO0uBujBykgLXV
      A0mF3CP1/Vt+Wosc1aRn7+rzMH1nPpOiEoXYDALASc1mXnNA4oS3/vK9BtzJtZJm
      1jG/Zc+ubB7ybUjKP6e9Z0O8eGX2sWdaqPZCXm2ZNpRidPV6S0Y4mVuoPWb1CIg2
      wJlzoxNsCRk4Ox7qOv6e
      =cof+
      -----END PGP SIGNATURE-----
  4. Click anywhere on the text and hit [Ctrl]+[A] to select all of that text, then [Ctrl]+[C] to copy it.  Or you can select all the text with your mouse and copy it.  You’ll be pasting it into a text file shortly.
    1. DO NOT COPY THE PGP SIGNATURE FROM MY ARTICLE TEXT!!!
  5. Open the folder to where you downloaded the Windows Installer file.  It should be named something like electrum-3.1.0-setup.exe.  Obviously, if you’re reading this in the future, there will likely be a newer version.  This is the latest version at the time of this writing.
    1. Right-click on any empty, white space in the folder and choose “New”, then “Text Document”.  A new, empty text file will be created.  Ignore the extra menu items I have.  I’m a developer and have extra features installed that you might not.
  6. Now hit enter to open the empty text file and paste the PGP key into it (from step 3.1 above, you should have the text in your copy buffer (or “clipboard”) still).  Hit [Ctrl]+[V].  This will paste the text you already had copied from 3.1 above into the text file.  Now hit [Ctrl]+[S] to save it.  And finally CLOSE notepad (or whatever text editor you’re using).
  7. Now rename the text file to exactly the same name as the downloaded electrum exe file, but with “.pgp” added to the end of the filename.  In my case, I rename the text file to electrum-3.1.0-setup.exe.pgp
  8. Now, let’s fix that problem where the file types (also called “file extensions”) are hidden.  While looking at the filename that you downloaded in Windows Explorer, open the “View” menu or tab.  On the right hand side (you might have to resize the window to something bigger to see it), open the “Options” drop down and choose “Change folder and search options”.
  9. On the “Folder Options” that opens up, click on the “View” tab and check OFF (or UN-check) the box “Hide extensions for known file types”, then click “OK”.  It should NOT have a check-mark in it.
    1. You’ll see the files changed from this…
    2. to this…  (again, these are MY files, you may have more or fewer and certainly different files in your downloads folder).
      1. It’s VERY important that you see the FULL filenames.  Before this, the electrum-3.1.0-setup.exe.pgp file looked like it it was named electrum-3.1.0-setup.exe and as you can see, there’s actually ANOTHER file that actually has that name.  Why Microsoft hides these by default is beyond me.   All it does is create confusion is severely increases the risk of hackers tricking you into launching a malicious program when you think you’re opening a safe text file or a picture file.
  10. LET’S DO IT! Let’s make an attempt to actually verify the PGP signature of the file.  Spoiler alert:  It won’t work, but that’s OK.  It will walk us through what we need to do.  Right click your newly created and renamed file that you added “.pgp” to the end of the filename on.  In my example, it will be electrum-3.1.0-setup.exe.pgp , and then choose “More GpgEX options”, then “Verify”.
  11. The verification process will complete as verified, but not fully verified…
    1. Here’s what’s going on.  The EXE file DID verify against the PGP signature, but the signature, itself, is not known to be trusted.  At least, your verification software you’re using (called Kleopatra) does not know the signature to be from a trustworthy source.  You’ll have to TELL IT that you trust that author’s key.  Once you do that, Kleopatra will fully verify everything produced from that author, signed with his same keys.  Click the “Search” button.  This will search on several public PGP key stores on the internet for one that contains that PGP key you have from that author.
      1. It SHOULD find a key from ThomasV@gmx.de after a minute or so…
      2. Click his e-mail address and then click the “Import” button.  That will import his public PGP key into your PGP keyring.  This will make it available for future use by you to validate new versions of this app and others from the same author.  You won’t have to go through all of these steps again for future downloads from him.
  12. Now we need to CERTIFY his signature.  This simply means we’re going to tell our local install of Kleopatra that we TRUST the key from ThomasV.  Open your start menu and find Kleopatra and launch it.
    1. It will show you all the public and private PGP keys you have installed.  Here’s what MINE looks like.  Yours may have only the one key from ThomasV and your own key.  (I’ve blurred my personal keys).
  13. Now, we’ll certify ThomasV’s key.  Right click his key (anywhere on the line with his e-mail address in it) and choose “Certify…”
  14. Check ALL the boxes on the “Certify Certificate” dialog box that pops up, then click “Next”.
  15. Now you need to tell it which of YOUR keys you want to certify it with.  It should show you all your keys that you already installed for yourself.  Select the one you wish to use to validate.  It’s not critical which one you choose, but I recommend choosing the latest one of yours that’s not expired and is associated with your most used e-mail address.  And select “Certify only for myself”, then click “Certify”.  (I’ve blurred all my personal signatures).
    1. You’ll see the following once Kleopatra has marked his certificate as validated by your own key.  We do this to make the software validation work.  Most of these steps are a one-time deal.  You will not repeat all of these every time you want to validate a signature on software.
      1. Click [Finish] and you’ll see your list of installed keys and see that his key is now marked as “certified”.  This is good.  This will REDUCE the number of steps to validate software from him in the future.
  16. Now, one more time, let’s right-click the electrum-3.1.0-setup.exe.pgp file you created, choose “More GpgEX options”, then “Verify”.  This time, you’ll get FULL VERIFICATION!

Congratulations!  You’ve now validated that the Electrum BitCoin wallet software is safe, unmodified, and from the original author.  It is safe to install.  Please note, this was NOT an article about installing the Electrum BitCoin software.  It was an example of how to validate software signatures from ANY software you download (as long as the author provides you validation signatures).  We could have used countless other apps to do the same thing.

It’s MUCH easier the second time!

Yes, I know.  That was quite a lot of work to do.  But that’s only because you’re new to this AND you had to install, configure, and create lots of new things.  Now that you’ve done it once, doing it again will be much less effort.

From now on, all you do is the following:

  1. Get the PGP signature of the file you want to download and save it into a text file.
  2. Download the file you want.
  3. Rename your PGP signature file to exactly the same name as the file you download, but with “.pgp” appended to the end of the file name.
  4. Right-click that pgp file, choose “More GpgEX options” -> “Verify”, and it’ll either validate or report that it’s not valid.

That’s it!  And getting newer versions of the app will be the same 4 steps.

See these images?

image

You’ll find actual working versions of them at the top and bottom of this article. Please click the appropriate buttons in it to let your friends know about this article.

Check back later for updates too!

LastPass: Turn Off Auto-Fill NOW!

There are many reports recently of malicious websites and malicious scripts in ads and comments on websites that generate login name and password fields on legitimate sites that trigger LastPass and other password managers to auto-fill with your credentials, allowing the bad actors to literally steal your login credentials, without you doing anything except innocently visiting your favorite sites.

Side note:  This is a REALLY GOOD reason to turn on 2-Factor Authentication.

To turn off aut-fill in LastPass is pretty simple, but nearly impossible to find and know how to do with out someone else “in the know” showing you.

  1. On your desktop browser, open your LastPass vault.
  2. Click “Account Settings” in the lower left.
  3. Click on the “Never URLs” tab.
  4. Click the “Add” Button at the bottom of the dialog box.
  5. Now, you’ll need to do this 3 times, once for “Never Fill Forms”, “Never AutoLogin”, and “Never AutoFill Application”.  Choose “Never Fill Forms”, from the “Type” drop down and then type “all” (without the quotes!) in the “URL” box and click add.  Continue for “Never AutoLogin” and “Never AutoFill Application”.

That’s it!  From this point forward, LastPass will still work, but it won’t just blindly fill in your login name and password to just any field named “login” or “password”.

Thank you for sharing this article.  See this image?

image

You’ll find actual working versions of them at the top and bottom of this article. Please click the appropriate buttons in it to let your friends know about this article.

Encrypting Degoo Cloud Drive With Cryptomator

In this article in my series of “Encrypt All The Things!”, I’ll show you the specifics of encrypting a cloud drive using the Degoo.com cloud drive service. For a generic overview, that’s not Degoo specific, see:

If you use cloud drive services, of any kind, it’s critical that you do so ONLY with data that YOU have encrypted on YOUR END and that YOU are in control of the keys. Any service that handles the keys for you is NOT SECURE! The ONLY way your own data is secure is if YOU are in control of the keys. Some cloud drive services offer encryption at an extra price, which is crazy because you can do it FOR FREE with the added benefit of YOU being in control, NOT THEM!

The best way to ensure that you’re in control is for you to do the encryption yourself with software NOT provided by your cloud drive service.

In this article, I’ll show exactly how to do this with a commercial cloud drive service called Degoo.com and a free and open source encryption application called Cryptomator.

Create a Degoo account and install the software

First, you’ll need to sign up for the Degoo.com cloud drive service here.

100 GB Free Backup

Be sure to download and install the software. Don’t set up the download or sync folders yet. We need to get the encryption app installed first. BTW, Degoo has both free and paid options.

Install the Encryption App

Go to Cryptomator.org and download and install the software (It’s free and open source!). Once installed, you’ll need to setup one or more “vaults”, which are simply nothing more than a folder on your hard drive where encrypted files will be stored.

Set up a Cryptomator vault

First, you need to understand how Cryptomator works. DO NOT SKIP THIS!

The first time you run it, you will not have any vaults (encrypted folders). First, create a new folder on your drive in whatever way suits you best. This is where you’re going to have encrypted versions of your sync files stored.

  1. Click the “+” sign in the lower left and choose “Create New Vault” to create a vault.
  2. Navigate to the folder you want to store your encrypted files (the folder should be blank, right now) and give it a name, here I Cryptomator.
  3. Then create a password for it. DO NOT FORGET THE PASSWORD OR YOUR DATA WILL BE LOST FOREVER!!!!!
    1. I Highly recommend saving it in a password manager like LastPass.com. I also recommend using that password manager’s password generator to generate a long, random password for you.
  4. Create the Vault by clicking the “Create Vault” button. This stores a couple of small files in there that cryptomator needs.
    You’ll be prompted for the password again. This is not part of the vault creation process. You’re done. Now you’re ready to use it like you will everyday. Now you unlock the vault by entering your password.
  5. Click the “more options” button to see what you have available. Those options are pretty self-explanatory. I’ll skip those and let you choose how you want to configure it.

Your vault is now unlocked and is opened in a Windows Explorer window, usually as drive letter Z:.

The real folder on the real drive is here (below) (depending on where YOU chose to create it… this one is mine):

Now, I can store files in my Z: drive (as long as my vault is unlocked) and I can use any apps I want to read and write to the Z: drive. Everything works normally. Apps that read and write there have NO IDEA that they’re reading and writing to an encrypted folder.

You’ll notice that in Documents\deleteme\test (again, that’s where I created mine; yours will be where ever you put yours), you’ll see a “d” folder and 2 masterkey files. Those masterkey files have an ENCRYPTED version of your key. No one can decrypt it without knowing YOUR password that you just created.  This masterkey file WILL BE ON THE REMOTE SERVER, so this is why you need a STRONG password, preferably random characters generated by a password manager.

As you save more files into your Z: drive, you’ll see more files show up somewhere under Documents\deleteme\test (again, MY folder is here, YOURS is where ever you put yours). The files that show up here have unreadable filenames and if you try to open them, they will have what appears to be garbage in them. These are the files you stored in your Z: drive, but these are encrypted.

Think of your Cryptomator unlocked vault Z: drive as a decrypted, magic window into your physical, encrypted files stored in their encrypted state in your Documents\deleteme\test (again, MY folder name I chose, YOURS will be different).

One caveate: Files in your Z-Drive CANNOT be larger than 2GB! That’s a limitation with the current version of Cryptomator.

I created a text file in my new Z: drive. As you can see below, Cryptomator created a file in the Documents\deleteme\test\d\WQ folder with a funky name. That’s what’s REALLY stored on my REAL hard drive. If I try to open the funky named file, it looks like garbage bytes. Both of those windows are showing the SAME data, it’s just that the REAL data is encrypted (top window). The bottom window is a VIRTUAL drive with an decrypted view of the data. ALWAYS remember this! You will NOT back up your Z drive! EVER! You’ll back up and/or sync your Documents\deleteme\test folder. More on that later.

Now, how to sync your encrypted files with Degoo.com

Now that you have a folder that contains your encrypted files and an easy way to use the the encrypted files (your cryptomator Z-drive), you need to sync the encrypted files to your Degoo.com account. DO NOT SYNC OR BACK UP YOUR Z: DRIVE!!!!!!

  • If you haven’t already, download and install the software on Degoo.com and create an account.
  • When you open it, click on the “Choose what to backup” tab. The actual folders on disk that are being backed up are each in their own cryptomator vault folder with encrypted files.
  • Click the “Add folder to backup…” button and navigate to your Cryptomator vault folder… the one with the unreadable encrypted files NOT YOUR Z-DRIVE!!!! and click “Add folder to backup”
  • Your folder will be added to your list of folders to be backed up.

Now, you’re all set. Anything you put into your Z-Drive is automatically encrypted at the time it’s written and since the real folder with the encrypted files is the one that’s backed up, you automatically get your data backed up in addition to automatically encrypted. Now, no matter how malicious anyone at Degoo may be (I have to reason to believe the are (or aren’t)), your privacy is safe. They cannot see anything other than what you see when looking at the encrypted version of your folder. Unless they have your password to your vault (which, of course, should be DIFFERENT from your Degoo password), they’ll never be able to see the contents.

But that was hard!

No it wasn’t! And, the small amount of work you did above is only done when creating a new vault and installing everything for the first time. Once it’s done, here’s all you need to do moving forward:

  • Turn on your PC and log into Windows (or Mac or Linux)
  • Start Cryptomator and unlock your vault.

That’s it! You can even shorten that to not have to start cryptomator setting up your vault to save your password and auto-unlock on start.

You can also add more cryptomator vaults at any time.

Quick review:

In this tutorial you did the following simple steps:

  • Signed up with and installed Degoo.
  • Downloaded and installed Cryptomator.
  • Created a vault with Cryptomator.
  • Told Degoo to sync the encrypted version of your cryptomator vault.

That’s really all you did. And now, you’re protected both with encryption and with an automatic, encrypted backup.

What’s Next?

Just continue to use your computer with your Z-Drive as your unencrypted version of your data. You can even lock your vault and Degoo will continue to back up your data. Degoo doesn’t need you to have it unlocked because it’s NOT backing up the unencrypted files. It’s only backing up the encrypted bits.  Degoo isn’t even aware of the Cryptomator software.  From Degoo’s software’s point of view, all that matters is that folder with the encrypted files in it.

Conversely, the Cryptomator software is unaware of Degoo.  All Cryptomator knows is that you have a folder with encrypted files and it provides the means to unlock and use them.

You can create more vaults with Cryptomator, if you like and add them to Degoo as well.

You can create vaults inside your Google Drive sync folder, your Microsoft One-Drive sync folder, your DropBox sync folder, etc, etc… As many or as few as you want.  Cryptomator works by encrypting any folder and providing an unencrypted view of it.  Cloud drives work by backing up and/or syncing a folder.  Put the two of them together and you’ve got a robust and secure backup strategy.

I do strongly recommend you make a cryptomator vault in EVERY cloud drive sync folder and move all your non-encrypted files INTO your virtual drive letter created for that vault.

WARNINGS!

You MUST obey the following rules!!!

  • Don’t write files directly into your real folder that contains the encrypted files. If you do that, it will be backed up AS-IS… WITHOUT ENCRYPTION!
  • Do NOT backup your Z: drive (or whatever drive letter cryptomator makes for you). That is DECRYTPED and if you back THAT up, you’ve wasted all your time and effort and are NOT storing an encrypted version of your files. Your Z: drive should ONLY be used for your normal work. DO NOT BACK IT UP!!!!

You are, of course, free to break these rules, but your secure backup is not going to be encrypted if you do break them.

Forbes.com E-Mail List Hacked!

The Forbes.com e-mail list has been compromised.  How do I know?  I create a unique e-mail address for everything online that I subscribe to.

When I get spam, I check the address the spammers sent it TO, to determine who’s responsible for either giving my address away or who’s responsible for not protecting our private data.

In this case, it is definitely forbes.com.  As you can see in the pasted spam e-mail, the address they sent it to is one of my addresses, but the only one where I have “forbes.com” in the e-mail address.

And, this is obviously not an authorized Forbes.com e-mail  message because it looks highly unprofessional, is an obvious scam, and all the links point to .ru websites.  Those are in Russia.  Also, I never entered a prize contest on Forbes.

Forbes needs to get on the ball and protect your registration information and issue a warning to all of their subscribers.

Thank you for sharing this article.  See this image?

image

You’ll find actual working versions of them at the top and bottom of this article. Please click the appropriate buttons in it to let your friends know about this article.